eslint-plugin-redos
Advanced tools
$ npm install eslint-plugin-redos
Then, in your .eslintrc.json:
{
"plugins": ["redos"],
"rules": {
"redos/no-vulnerable": "error"
}
}
This plugin contains the only rule redos/no-vulnerable.
redos/no-vulnerable)Almost all JavaScript's RegExp matching engines are backtrack based,
and it is known that such an engine causes ReDoS (Regular Expression Denial of Service) vulnerability.
This rule detects a RegExp literal causing problematic backtracking behavior potentially.
:-1: Examples of incorrect code for this rule:
/*eslint redos/no-vulnerable: "error"*/
// Exponential times backtracking examples:
/^(a*)*$/;
/^(a|a)*$/;
/^(a|b|ab)*$/;
// Polynomial times backtracking examples:
/^a*a*$/;
/^[\s\u200c]+|[\s\u200c]+$/; // See https://stackstatus.net/post/147710624694/outage-postmortem-july-20-2016.
:+1: Examples of correct code for this rule:
/*eslint redos/no-vulnerable: "error"*/
// Fixed times backtracking examples:
/^a$/;
/^foo$/;
// Linear times backtracking examples;
/foo/;
/(a*)*/;
The following is the default configuration.
{
"redos/no-vulnerable": [
"error",
{
"ignoreErrors": true,
"permittableComplexities": [],
"timeout": 10000,
"checker": "hybrid"
}
]
}
ignoreErrorsThis flag is used to determine to ignore errors on ReDoS vulnerable detection.
Errors on ReDoS vulnerable detection are:
They are ignored because they are noisy usually.
permittableComplexityThis array option controls permittable matching complexity. It allows the following values.
'polynomial''exponential'We strongly recommend considering 'polynomial' matching complexity RegExp as ReDoS vulnerable.
However, this option can disable it.
timeoutThis option specifies a time-out limit for ReDoS analyzing.
A time-unit is milli-seconds.
If null is specified, it means unlimited time-out.
The default value is 10000 (10 seconds).
checkerThis option specifies a checker name to use.
It is one of 'hybrid', 'automaton' and 'fuzz'.
See the @makenowjust-labo/redos documentation for the detailed information.
The default value is 'hybrid'.
MIT license.
2020 (C) TSUYUSATO "MakeNowJust" Kitsune
1.2.0 (2021-01-02)
Changes:
max from FString.Repeatredos-core to redosMultiNFA to NFAwLAFixes:
FAQs
ESLint plugin for catching ReDoS vulnerability
The npm package eslint-plugin-redos receives a total of 16,018 weekly downloads. As such, eslint-plugin-redos popularity was classified as popular.
We found that eslint-plugin-redos demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
An advanced npm supply chain attack is leveraging Ethereum smart contracts for decentralized, persistent malware control, evading traditional defenses.
Security News
Research
Attackers are impersonating Sindre Sorhus on npm with a fake 'chalk-node' package containing a malicious backdoor to compromise developers' projects.
Security News
The npm package for the LottieFiles Player web component was hit with a supply chain attack after a software engineer's npmjs credentials were compromised.